Use directory watcher to audit deleted files

File / Folder Watcher, as a part of Automation Workshop, is a directory watcher tool that monitors folders and files for changes in their contents. When the specified type of content modification (e.g. file or folder creation, modification, deletion or renaming) is detected in monitored folder, the directory watcher automatically runs the associated Task which reacts to these changes.

In this tutorial we will perform a simple Windows file auditing, namely, auditing file deletion. We will set File / Folder Watcher to watch a directory for an event of file deletion. In case of such an event, the directory watcher will run a Task that contains the Send Email Action configured to send a notification email to network administrator with full path and name of deleted file (as well as the name of computer on which it took place).

How to add File / Folder Watcher? Once in Task Wizard, go to the Triggers tab and click the Add button. Choose File / Folder Watcher Trigger and click OK. This will open the Folder tab of File / Folder Watcher settings. Specify the folder to watch (the C:\Important data\ folder will be used in this tutorial) and whether to monitor its subdirectories (by marking the Also, watch in subfolders checkbox).

Using directory watcher to audit the C:\Important data folder and its subfolders.

Now, let us go to the Conditions tab of File / Folder Watcher and choose what events to monitor for. Since the idea was to audit deleted files, let us choose appropriate option, namely, Watch for deleted files.

Set directory watcher to audit deleted files.

Now, let us save the directory watcher settings and click OK. The File / Folder Watcher Trigger should appear in the Triggers list in Task Wizard, indicating that the C:\Important files\ directory will be watched for deleted files. Now let click the Next button to go to the Action tab.

How to configure Send Email to report changes detected by directory watcher? In the Action tab of Task Wizard click the Add button. Choose the Send Email Action from the Email category and click OK to enter its settings. Specify the sender's and recipient's email addresses, provide an email subject line and message text.

Note the green Computer name and Filename values that are not just regular text, but dynamic Variable Wizard values that upon Task execution are substituted by actual computer name and name of deleted file.

Let us see how to add dynamic Variable Wizard value to email message text. Click on Variable Wizard button next to the Email text field to open the Variable Wizard window.

An Action can take the name of deleted file directly from directory watcher.

To retrieve name of deleted file from the Trigger, choose File / Folder Watcher in the Triggers category and note that Full path and filename will be returned. Click OK and see the Filename variable appear. The email text will contain just name of the file (not the file itself). To add the file itself to the email, the same dynamic value would need to be used in the Attachment field (if it was not referring to deleted file, that is).

Note that the Computer name from the System category is added to the email subject field in very similar manner.

Click Ok to return to Task Wizard and note that the Send Email Action has been added. Now continue with the remaining steps of Task creation, such as Run As settings that determine user credentials the Task is executed with, email reports of Task failed or successful completion and Task information including its name and description. Finish the Task.

Summary. We have just created a Task that will perform a simple audit of deleted files by continuously monitoring the C:\Important data\ directory and its subdirectories (using File / Folder Watcher). When a file in this directory is deleted, the Task will send an email message that contains the name of computer and full path and filename (using Send Email). The Send Email Action gets the name of deleted file from File / Folder Watcher and the name of computer from the Windows by using Variable Wizard.